Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Partial path traversal in sharpcompress
SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in the options. To prevent extraction outside the destination directory, the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, it is not enforced that fullDestinationDirectoryPath ends with a slash:

```csharp
public static void WriteEntryToDirectory(IEntry entry,
                                         string destinationDirectory,
                                         ExtractionOptions? options,
                                         Action<string, ExtractionOptions?> write)
{
    string destinationFileName;
    string file = Path.GetFileName(entry.Key);
    // Normalised destination directory; note that no trailing separator is appended.
    string fullDestinationDirectoryPath = Path.GetFullPath(destinationDirectory);
    ...
    // Reached when destinationFileName does not start with fullDestinationDirectoryPath.
    throw new ExtractionException("Entry is trying to write a file outside of the destination directory.");
}
```
If destinationDirectory is not slash-terminated, like /home/user/dir, it is possible to create a file one level up from the directory whose name begins with the destination directory's name, e.g. /home/user/dir.sh, because that path still passes the prefix check.
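As an added illustration (not part of the advisory or of SharpCompress itself), the following Python models the prefix check on POSIX paths and contrasts the pre-0.29 comparison with one that forces the directory prefix to end with a separator. The destination directory and the entry names are constructed samples; full_path is an assumed approximation of Path.GetFullPath for absolute paths.

```python
import posixpath

# Constructed sample: a destination directory and entry names as they might
# appear in an archive's listing (not taken from any real archive).
DESTINATION_DIRECTORY = "/home/user/dir"
SAMPLE_ENTRY_KEYS = ["docs/readme.txt", "../dir.sh", "../../../etc/passwd", "dir.sh"]


def full_path(path: str) -> str:
    """Approximate Path.GetFullPath for absolute POSIX paths: collapse '.' and
    '..' segments but keep a trailing slash if the caller supplied one."""
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def resolve_entry(destination_directory: str, entry_key: str) -> str:
    """Where an entry lands when ExtractFullPath recreates its hierarchy."""
    return full_path(posixpath.join(full_path(destination_directory), entry_key))


def vulnerable_is_inside(destination_directory: str, entry_key: str) -> bool:
    """The pre-0.29 check: a bare prefix comparison against the directory path."""
    full_dir = full_path(destination_directory)
    return resolve_entry(destination_directory, entry_key).startswith(full_dir)


def fixed_is_inside(destination_directory: str, entry_key: str) -> bool:
    """Same comparison, but the directory prefix is forced to end with a
    separator, so a sibling such as /home/user/dir.sh no longer matches."""
    full_dir = full_path(destination_directory)
    if not full_dir.endswith("/"):
        full_dir += "/"
    return resolve_entry(destination_directory, entry_key).startswith(full_dir)


def entries_escaping_via_prefix_bug(destination_directory, entry_keys):
    """Audit helper: entries the old check accepts but the fixed check rejects,
    i.e. exactly the partial-traversal cases an archive could carry."""
    return [
        (key, resolve_entry(destination_directory, key))
        for key in entry_keys
        if vulnerable_is_inside(destination_directory, key)
        and not fixed_is_inside(destination_directory, key)
    ]


if __name__ == "__main__":
    for key, target in entries_escaping_via_prefix_bug(DESTINATION_DIRECTORY, SAMPLE_ENTRY_KEYS):
        print(f"{key!r} would be written to {target}")
```

Running the block lists only "../dir.sh", which resolves to /home/user/dir.sh; with a slash-terminated destination such as /home/user/dir/ even the old check rejects it, matching the advisory's description.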
Impact
Because of the constraints on the file name and the destination directory, the arbitrary file creation impact is limited and depends on the use case.
Permalink: https://github.com/advisories/GHSA-jp7f-grcv-6mjf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcDdmLWdyY3YtNm1qZs0V2Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-jp7f-grcv-6mjf, CVE-2021-39208
References:
- https://github.com/adamhathcock/sharpcompress/security/advisories/GHSA-jp7f-grcv-6mjf
- https://nvd.nist.gov/vuln/detail/CVE-2021-39208
- https://github.com/adamhathcock/sharpcompress/pull/614
- https://github.com/adamhathcock/sharpcompress/releases/tag/0.29.0
- https://github.com/advisories/GHSA-jp7f-grcv-6mjf
Blast Radius: 10.1
Affected Packages
nuget:sharpcompress
Dependent packages: 40
Dependent repositories: 219
Downloads: 159,362,153 total
Affected Version Ranges: < 0.29
Fixed in: 0.29
All affected versions: 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.1, 0.18.0, 0.18.1, 0.18.2, 0.19.0, 0.19.1, 0.19.2, 0.20.0, 0.21.0, 0.21.1, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.25.1, 0.26.0, 0.27.0, 0.27.1, 0.28.0, 0.28.1, 0.28.2, 0.28.3
All unaffected versions: 0.29.0, 0.30.0, 0.30.1, 0.31.0, 0.32.0, 0.32.1, 0.32.2, 0.33.0, 0.34.0, 0.34.1, 0.34.2, 0.35.0, 0.36.0, 0.37.0, 0.37.1, 0.37.2